Bybit Create API Key Step by Step 2026: The Exact Permissions Setup Most Traders Get Wrong
Creating a Bybit API key step by step in 2026 takes 5 steps: profile icon → Account Settings → API Management → "Create New Key" → select "System-generated API Keys," choose "API Transactions" as the key type, set permissions, add an IP whitelist, then confirm with Google Authenticator. Per the Bybit Help Center: "Choose 'API Transactions' when creating your new key for UTA account access. Then copy the generated key and secret."
That's the core process. What most traders don't know: if your account is under 48 hours old, Bybit won't let you create a key at all. And if your key predates April 9, 2026, it may lack the permission scopes for a new batch of earn and borrowing endpoints that went live this week.
Bybit's V5 API logged 9 changelog entries between April 7 and April 10, 2026 alone. New fields have appeared, legacy fields are heading toward deprecation, and the permission surface has grown. If you're connecting Bybit to a copy-trading platform, a bot, or a portfolio tracker right now, this guide covers every step and every decision point.
How to Generate an API Key in Bybit: The 5-Step Process
Bybit's API Management screen is the single control surface for key creation on the platform. The V5 API Integration Guide confirms the Unified Trading Account uses one authentication layer for Spot, Derivatives, and Options, which means one key setup gets you access to all three. Here's the process in order:
Step 1. Click your profile icon in the top-right corner of any Bybit page.
Step 2. Go to Account Settings → API Management.
Step 3. Hit "Create New Key." Select "System-generated API Keys." (Not self-generated, which requires you to supply your own RSA public key.)
Step 4. Select "API Transactions" as the key purpose. This step is required for Unified Trading Account access. Per the Bybit Help Center: "Choose 'API Transactions' when creating your new key for UTA account access. Then copy the generated key and secret." You won't see the secret again after leaving this screen.
Step 5. Set permissions, add an IP whitelist, and confirm with Google Authenticator 2FA. No 2FA active on your account means no key. Full stop.
One practical note: if you're connecting Bybit to a copy-trading platform like AO Shadow, you'll run this setup once and paste both the key and secret into the platform's connection screen. The key doesn't change unless you rotate it or regenerate it after an April 2026 permission update.
The Permissions That Matter (and the One to Leave Off)
Bybit API key permissions fall into three categories: Read-Only, Trade, and Withdraw. A fourth control, the IP whitelist, isn't technically a permission field, but it's the most important security setting you can configure. Getting this right is the difference between a key that does its job and one that hands an attacker access to your funds.
For a trading bot or copy-trading setup, here's the correct configuration:
| Permission | Enable for Bot? | Why |
|---|---|---|
| Read-Only | Yes | Balance checks, order history, position reads |
| Spot Trade | Yes (if trading spot) | Order placement on spot markets |
| Derivatives Trade | Yes (if trading perps or futures) | Required for UTA futures and perpetuals access |
| Transfer | No | Only needed for moving funds between sub-accounts |
| Withdraw | Never | Creates a fund-drain risk if the key is ever compromised |
| IP Whitelist | Always | Locks the key to your specific server or machine |
The Withdraw permission is where traders cost themselves real money when keys get compromised. A key with Trade access only, bound to a static IP, can't move funds out of your account even if someone extracts it from a config file or leaked repo. Enable Withdraw on a key with no IP restriction, and you've created an open door.
The IP whitelist is not optional if you're serious about security. Per the Bybit Help Center, keys remain inactive for withdrawals unless the IP whitelist is set. The broader principle applies across all key types: bind the key to the machine that will use it.
For more on the copy trading permission setup specifically, the Bybit Copy Trading API explained guide covers what to automate and what to leave manual.
What Changed in April 2026: New Fields, New Endpoints, Old Keys at Risk
Bybit's V5 API logged 9 changelog entries between April 7 and April 10, 2026, per the V5 API Changelog. Most of these changes won't affect traders using keys purely for standard spot or futures trading. But if your bot or platform touches earn products, fixed-rate borrowing, or liquidity mining, existing keys may be missing the scopes those new endpoints require.
Here's what changed across those four days:
| Date | Update | Impact on Existing Keys |
|---|---|---|
| April 7, 2026 | 'Smart Leverage' and 'Double Win' earn products added | New endpoints; legacy keys excluded |
| April 8, 2026 | 'BYUSDT' earn product released | Separate endpoint older keys can't reach |
| April 9, 2026 | 'FiatBitPay' permission field introduced; 4 new fixed-rate borrowing endpoints added; 'Get Liability Info' endpoint live | Legacy 'FiatBybitPay' field remains active during transition |
| April 10, 2026 | 'Liquidity Mining' product endpoint added | New scope required for portfolio-margin users |
The key line from the V5 API Changelog: "API key permissions updated: 'FiatBitPay' field introduced (legacy 'FiatBybitPay' remains during transition)."
That transition won't run indefinitely. If your setup touches any of the earn or borrowing features added this week, regenerate your key now with the updated permission scope. Keys created before April 9 still work for standard trading but won't reach the 4 fixed-rate borrowing endpoints or the Liquidity Mining product endpoint added April 10.
If you're using AO Shadow's automated position management, none of these earn-product changes affect your setup. Shadow uses read and trade permissions only, and those endpoints haven't changed.
The 48-Hour Cooldown and Other Setup Traps
Three things catch traders off guard the first time they try to create a Bybit API key. Knowing them in advance means you won't lose half a day chasing a problem that has a simple explanation.
The first is the cooldown. Per the Bybit Help Center: "For new users, API key creation may be restricted for the first 48 hours after registration for risk control purposes." The API Management page looks completely normal, but the "Create New Key" button simply won't appear. You're not doing anything wrong. The platform just won't let you proceed. The fix is planning: register your Bybit account before you need it, not the same day you're trying to connect a bot.
The second is the secret copy window. After completing the 5-step process, Bybit displays your API secret exactly once. Leave that screen without copying it, and you'll need to delete the key and create a new one. There's no "show secret again" option anywhere in Account Settings.
The third affects Japanese residents specifically. From January 2026, Bybit began rolling out service restrictions for users in Japan. The Cryptact Help Center notes: "From 2026 onward, Bybit will begin implementing service restrictions for users residing in Japan. There may be limitations on the availability of transaction history via API as a result of these restrictions." If you're in Japan and use any tax tool or portfolio tracker that pulls transaction history via API, export your full history now. These restrictions may deepen across 2026.
One final discipline worth building in: Bybit issues a 90-day key rotation reminder. Build that into your calendar. A key rotated quarterly, bound to a static IP, with no Withdraw permission enabled is as well-protected as Bybit's setup allows.
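The permission table and the rotation advice above, turned into an offline check (an added example, not Bybit's or this article's own code): it audits a key-information record against the bot policy described on this page. The record shape (`permissions`, `ips`, `createdAt`), the scope names and the `*` wildcard are assumptions modelled on Bybit's V5 key-information response, and both samples are constructed.

```python
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # the 90-day rotation interval from this page

# Constructed samples. Field and scope names are assumptions; compare them
# with the record your own account returns before relying on the check.
SAMPLE_RISKY = {
    "note": "bot-key-old",
    "ips": ["*"],  # assumed wildcard meaning "no IP restriction"
    "createdAt": "2025-11-01T08:00:00Z",
    "permissions": {
        "Spot": ["SpotTrade"],
        "ContractTrade": ["Order", "Position"],
        "Wallet": ["AccountTransfer", "Withdraw"],
    },
}
SAMPLE_HARDENED = {
    "note": "bot-key-new",
    "ips": ["203.0.113.10"],  # documentation-range address
    "createdAt": "2026-03-20T08:00:00Z",
    "permissions": {"Spot": ["SpotTrade"], "ContractTrade": ["Order", "Position"], "Wallet": []},
}


def audit_key(info, now):
    """Return findings for a bot key; an empty list means it matches the table."""
    findings = []
    groups = (info.get("permissions") or {}).values()
    # Flatten every category so a scope is caught wherever it is filed.
    for scope in (s for group in groups for s in (group or [])):
        lowered = scope.lower()
        if "withdraw" in lowered:
            findings.append(f"withdraw scope enabled: {scope}")
        elif "transfer" in lowered:
            findings.append(f"transfer scope enabled: {scope}")
    ips = [ip.strip() for ip in (info.get("ips") or []) if ip.strip()]
    if not ips or "*" in ips:
        findings.append("no IP whitelist bound to key")
    created = datetime.fromisoformat(info["createdAt"].replace("Z", "+00:00"))
    age_days = (now - created).days
    if age_days > MAX_KEY_AGE_DAYS:
        findings.append(f"key is {age_days} days old; rotate")
    return findings


if __name__ == "__main__":
    now = datetime(2026, 4, 10, tzinfo=timezone.utc)
    for sample in (SAMPLE_RISKY, SAMPLE_HARDENED):
        print(sample["note"], audit_key(sample, now) or "OK")
```

Any finding is a reason to delete the key and create a new one with the corrected settings, since the secret is shown only once and cannot be re-read.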
FAQ
How to generate API key in Bybit?
Go to your profile icon → Account Settings → API Management → Create New Key → choose "System-generated API Keys" → select "API Transactions" → set permissions → add an IP whitelist → confirm with Google Authenticator 2FA. Copy the key and secret immediately after generation. The full process takes under 5 minutes once your account is over 48 hours old.
How do I generate my own API key?
At the "Create New Key" step in API Management, Bybit offers system-generated or self-generated options. Self-generated keys require you to supply your own RSA public key. For most traders connecting to bots or copy-trading platforms, the system-generated option is simpler and fully supported across Bybit's V5 API, per the V5 API Integration Guide.
How to get Bybit setup key?
"Setup key" typically refers to the Google Authenticator code required to enable 2FA before API key creation. Set up Google Authenticator on your phone, link it to your Bybit account under Security Settings, then use the rotating 6-digit code at the final step of API key creation. Without active 2FA on your account, Bybit won't issue a key.
Should I enable Withdraw permission on my API key?
No. Never enable Withdraw for a trading bot or copy-trading connection. A key with Read and Trade permissions only, bound to a whitelisted IP, can't drain your account even if the key is compromised. Enable Withdraw only for specific withdrawal-automation tools, and only when an IP whitelist is also active.
What is the 'FiatBitPay' permission field added in April 2026?
'FiatBitPay' is a new API key permission field introduced by Bybit on April 9, 2026, replacing the legacy 'FiatBybitPay' field. The old field remains active during the transition period, but keys needing access to new payment or fiat-conversion endpoints should be regenerated with the updated 'FiatBitPay' scope before the legacy field is deprecated.
Once your key is live, the next step is putting it to work. AO Shadow connects to Bybit using read and trade permissions only, automating exits, trailing stops, and position tracking across your Unified Trading Account. No Withdraw permission needed, setup takes about 10 minutes, and you can see every trade on the live dashboard before committing anything.


